Yikes. Pretty much a confirmation of the speculation that the hackers would have access to Twitter DMs. Question is, which accounts?
edit: For reference, here's what's included in the "Your Twitter Data" tool. There's some other info that may be of note than just DMs. I wonder what risks there are to knowing, for example, the past IP addresses and geolocations that VIP politicians access Twitter from? Hopefully they're behind a government VPN.
That just raises more questions for me! It would make sense if an attacker was trying to pull the data of some celebs/VIPs as an attempt to hopefully strike gold. But for them to do it on some non-verified account? That makes it seem like these specific individuals may have been targeted. If the attackers were just randomly picking accounts to download, I can't imagine them picking solely non-verifieds.
The original idea that the bitcoin scam was a diversion starts to look more plausible in this light, but in the absence of any information about the downloaded accounts, there’s really no way to guess what their value may have been and to whom.
Alternately, to throw cold water on the above, maybe the process to kick off a download for verified accounts has extra safeguards and the eight non-verified were simply tests to try to determine why the verified downloads weren’t working.
People like the ones you're talking about don't communicate anything of value over Twitter. Bezos only follows his ex-wife, who doesn't follow him back, barely uses Twitter and would be unlikely to have any DMs at all. After the Saudi hack, I would be surprised if he has much of anything installed on his phone.
The only real reason to hack celebrity accounts in this instance, and which they should have done, would be to deflect attention from the accounts they actually went after.
I honestly didn't believe you. But it's true. That's... kinda weird.
It seems like a sophisticated attacker running a targeted attack such as a government agency would presumably have avoided doing anything noticeable like the public tweets in the hope of being able to avoid detection and target additional people in the future.
One possibility I can think of is that a state actor, such as China, was investigating state enemies, such as suspected dissidents. They wanted to get the DMs, but also didn't want the general public to catch on. So they set things up so public discourse would be centered around the Bitcoin scam and celebrity hacks.
This is still absurd to me. What diversion? Twitter knows exactly what was downloaded, and in fact they’re looking at this even closer due to the supposed diversion.
Imagine you walk by the beach, and see that the sea has washed up a pirate treasure chest. You crack it open, and see it full of gold, jewelry, old manuscripts, letters. Would you just throw the chest back into the sea, taking only a single ring, and a nail from the chest to hang a price list on your lemonade stand with?
Because that's what happened here. The attackers hit gold, and threw it all away.
The hacker managed to get an amazing level of access, but exploiting that, and extracting value from it, and getting away clean is probably really hard. So they sold the access to whoever was willing to pay for it for a guaranteed return. That also gives you an extra middleman that law enforcement has to get past before they get to you, and confusing the trail between the middleman and you might be easier than confusing the trail between your targets and you.
Except whoever paid for the access and used the exploit just didn't have the imagination to do something that made as full use of the hack as they might have done. And now dozens of other criminals are facepalming themselves to death for not having been the ones to have bought this opportunity for their own ends, which they think would have been much more epic.
Let us imagine that I am Jeff Bezos: why would I use my official account to DM people? I would rather use one where I look like everybody else, so that it is less likely to be the target of an attack.
AFAIK, deleting Twitter DMs only deletes the conversation from your end, so if the verified user, worried about this exact situation, periodically deletes their DMs, but the unverified user, not nearly so worried, doesn't...
Twitter is fundamentally a web app. Users can log in from any browser and read their messages, which are stored on the server. This is a very different situation from Signal or WhatsApp, where an account is tied to a device, and messages can be stored there.
The only reason someone wouldn't do this is if they didn't want the heat, and if they didn't want the heat they wouldn't have hijacked high profile accounts to begin with.
They say it but downplay it very much.
Obviously this means the attackers had access to DMs.
Maybe that's going too far down the rabbit hole but I'm really curious now.
Verified accounts are surely mostly media-company controlled?
Nowhere do they say DMs of the celebrities were not accessed.
Some sort of lying by omission.
I was wondering what kind of thing some actors (possibly state-based) were going to do this election cycle since the 2016 one (hacks of Republican and Democratic emails) worked so darn well. Exfiltrating DMs seems like it's going to accomplish just about as much, if not more.
And there's no big reason to think that the exfiltration of private DMs was limited to the people that had the Bitcoin scam tweeted on their accounts.
I think the Bitcoin scam was also the perfect innocuous cover story - a legitimate motive that nevertheless leaves one with the impression that the operator is a pretty small fry. So many dismissals of "it's a silly scamp wanting money but only got 12 BTC, next day's news please."
But it did put it out there so that the public (and the public needs to know to establish the credibility of the compromised data instantly, immediately, with no room for doubt) is aware a broad hack occurred, without even exposing who was targeted specifically and the BTC didn't matter one iota. Now they can trickle-feed what they actually got all the way until the election. Also, they don't care who'll win, just like the email hackers didn't in 2016. They just want to sow discord. Tweeting the same unrelated thing on so many accounts also sends the message that they're not on anyone's side.
The only reason I think Trump didn't have anything tweeted isn't because they particularly like him, but because it gives off the image of graver national security consequences.
On Trump, apparently he has more internal protections on his account than normal so it could just be that the employees they got in through didn’t have any access. https://www.nytimes.com/2020/07/16/technology/twitter-hack-i...
Verified doesn't necessarily mean important people, but rather public personality/official account. There could be hundreds of lobbyists, journalists, etc. that don't use verified accounts.
Nobody is communicating anything valuable over Twitter. This is such a ridiculous point that people bring up all the time. Scandalous relationships? Most of that will be on true messenger applications. Business deals? Business email. Many more mainstream prominent people don't even run their own account.
It's not that everyone is so security-minded, it's just that Twitter is an extremely inconvenient way to maintain personal relationships.
> I think the Bitcoin scam was also the perfect innocuous cover story
There is almost no value in DMs. Funny seeing HN speculate about these elite hackers selling them as if there's any market for them, let alone one that would pay $100k+.
GP was talking about the 2016 election, where Julian Assange and Roger Stone literally communicated strategies, for how to coordinate if the FBI came down on Assange for the leaks, via Twitter DMs. Many things going on with no Signal, PGP, etc.
It was clear publicly that Stone had a very inappropriate relationship with Wikileaks. What would you do, attempt to extort Stone for more than $100k and hope he pays? Leak little more than was publicly known?
There's a reason "slide into the DMs" is a saying: https://www.dictionary.com/e/slang/slide-into-the-dms/
It's also worth mentioning that it's very common for companies and celebrities to use Twitter DMs as a sort of "customer support" where they specifically ask people to send them private information via DM. I've seen tweets from utility companies where they say "Please send us a DM with your account number and we will look into your issue", for example. There's the possibility for valuable information there.
Edit: The person I would consider my “best friend” we chat 100% over Instagram DM. This is a person that I can invite myself over for dinner to, that’s how close we are in case you feel like assuming we must not be good friends if we don’t just call each other or whatever. Another of my good friends, we switch between iMessages and WhatsApp I’d say 50/50, just depending on if I’m already in WhatsApp talking to someone else and decide to message her too or not.
But I guess it’s entirely possible that people put sensitive things in DMs and inexplicably just trusted Twitter with that info.
You’re right, I assume his would be one of the accounts that was exfil’ed
There is no value in Twitter DMs.
> Hitchens has phrased the razor in writing as "What can be asserted without evidence can also be dismissed without evidence."
Maybe Kanye's DMs would reveal he's really just fucking with everyone and hasn't actually completely lost it.
Well... Maybe just the former.
- "Download all my data" was mandated by GDPR (article 20)
- Right to delete, right to access made it so that there is up to a ten million dollar fine if you refuse it, so you are more prone to social engineering attacks. Meaning if some user requests access or deletion, (e.g. having forgotten their password or username) you might not be 100% sure that it's him but arguing with him or asking too personal a verification proof can get you in hot water and you'd rather not get dragged into a fight with the European committee.
- While our users could initially create an account without e-mails and be relatively anonymous, a couple of "right to access" requests from "users who have forgotten their username" means you are basically forced to require e-mail, thereby carrying even more PII unnecessarily.
It probably wouldn't have slowed the hackers down much here though.
> [Your full name and address and any other details such as account number to help identify you]
If Twitter were to vanish suddenly would these people be bothered by it for more than a month? I'm thinking there has to be at least a handful of such people.
Also, anecdotally, I heard of a parent taking away their son's game console since they were worried he was playing it all day. His response was to stare at the wall for the same amount of time instead.
I wonder what implications there would be around forcibly preventing people from using social networks if they're already wired to be used to social media.
"The recreationally outraged cancel mob"
FWIW, I actually enjoy twitter and get plenty of value from it (by selectively following interesting, intelligent people who post about things I care about) ... but your description is pretty funny -- and probably apt, at least for a sizable % of its users.
Also, disabling everything would have likely been only a very short term solution - just enough to tide you over until you understand roughly what's going on, likely less than an hour.
How many people saw the tweets and transferred bitcoins during the period in which Twitter likely could have turned off everything, but not yet blocked access to the respective accounts? Likely very few, but perhaps not 0. Whether in retrospect that makes Twitter's choice to stay online reasonable depends a little on how much you think Twitter just got lucky that the scope of the attack was small, or that you think they knew what they were doing.
How do you know?
While it affected a bunch of popular accounts it didn't really disrupt Twitter for the rest of the user base or put them at huge risk. Disabling all accounts is maybe not even that easy to do on a scale like that where maybe then you are getting overwhelmed by retries / errors from all kinds of apps and it's even harder to control the whole situation. Just disabling high profile accounts seemed like a pretty good workaround.
At most 475 greedy idiots, average $266 each
"The most prevalent address received $120,000 in bitcoin from 375 transactions. Secondary addresses received $6,700 in bitcoin from 100 transactions. An XRP wallet netted nothing."
I assure you that World War III will not start because of a (real or faked) Tweet by President Trump, as much as CNN et al. are praying for it.
This is why sending or generating an OTP, that the user types in, is not secure. The user can be tricked into handing the OTP over the phone. Even the O365 system isn't secure (because the user can be told which number to tap over the phone).
The only secure authentication these days is a non-communicable possession: Yubikey or similar. This reflects *very* poorly on Twitter opsec.
I'm not saying TOTP or hardware tokens are invulnerable; even SecurID was compromised. But having SMS as the only means of 2FA is not even trying to be secure IMO, especially in India where everything from our Unique ID to bank accounts is dependent upon SMS OTP.
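To make the point of the two comments above concrete (a typed OTP can be relayed by whoever the user reads it to, a hardware key's response cannot), here is an added illustration that is not code from Twitter or from anyone in this thread. It runs standard TOTP beside a simplified U2F/WebAuthn-style check; the hardware key is modelled with HMAC-derived per-origin keys instead of the real per-origin ECDSA key pair, and the origins, secrets, challenge and timestamp are all constructed sample values.

```python
import hashlib
import hmac
import struct

# --- Model 1: a code the user types (TOTP, RFC 6238) -----------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server receives six digits and nothing else: it cannot tell whether
    the legitimate user typed them or someone who was read the code did."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)

# --- Model 2: an origin-bound assertion (U2F/WebAuthn-style) ---------------
class Authenticator:
    """Stand-in for a hardware key. HMAC replaces the real per-origin ECDSA
    key pair so the example stays short (assumption, not the real protocol)."""
    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def _key_for(self, origin: str) -> bytes:
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Real U2F hands the server a public key; here the server stores the
        # derived per-origin key (symmetric stand-in).
        return self._key_for(origin)

    def sign(self, challenge: bytes, browser_origin: str) -> bytes:
        # The browser supplies the origin it is actually on. The user never
        # types it and so cannot be talked into changing it over the phone.
        msg = challenge + b"|" + browser_origin.encode()
        return hmac.new(self._key_for(browser_origin), msg, hashlib.sha256).digest()

def u2f_login(stored_key: bytes, server_origin: str,
              challenge: bytes, assertion: bytes) -> bool:
    """The server verifies against its own origin, so an assertion produced
    while the browser sat on a look-alike domain does not validate."""
    msg = challenge + b"|" + server_origin.encode()
    expected = hmac.new(stored_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

# --- Walk the phone-call relay through both models ------------------------
REAL = "https://twitter.example"             # constructed origin of the real site
LOOKALIKE = "https://twitter-login.example"  # constructed look-alike origin

def relay_outcomes() -> dict:
    """Returns whether a relayed second factor is accepted under each model."""
    now = 1594900000                     # constructed timestamp
    otp_secret = b"constructed-totp-seed"
    # TOTP: the caller is read the current code and submits it themselves.
    relayed_code = totp(otp_secret, now)
    otp_accepted = totp_login(otp_secret, relayed_code, now)

    key = Authenticator(b"constructed-master-secret")
    stored = key.register(REAL)
    challenge = b"constructed-server-challenge"
    # Legitimate login: the browser is on the real origin.
    genuine = u2f_login(stored, REAL, challenge, key.sign(challenge, REAL))
    # Relay: the same server challenge is presented through a look-alike
    # page, so the browser reports that origin to the key and the answer
    # is bound to the wrong site.
    relayed = u2f_login(stored, REAL, challenge, key.sign(challenge, LOOKALIKE))
    return {"totp_relay_accepted": otp_accepted,
            "u2f_genuine_accepted": genuine,
            "u2f_relay_accepted": relayed}

if __name__ == "__main__":
    print(relay_outcomes())
```

The TOTP half is checked against the RFC 4226 test vector (counter 1 for the ASCII seed "12345678901234567890" gives 287082), so the "code is accepted wherever it was typed" outcome is a property of the scheme, not of the toy.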
I've been asking the Banks to implement TOTP in vain.
For something to reflect very poorly on twitter opsec, I would expect it to be something that is below what the average tech company was doing. e.g. There was some news article claiming [Without a whole lot of evidence] that the compromised tool used a shared password that was posted as the topic of a slack channel. Now if that was actually true, I think that would fit the description of "very poor" opsec.
Google embarked on their BeyondCorp/zero-trust initiative after the 2009 Chinese APT breach. The teams working on their internal security had firepower and support from the very top of the organisation - and it took them seven years to get from "we want to make entire classes of attacks impossible" to "we can now enforce it".
The disappointing truth in tech is that - apart from a few exceptions - security gets only superficial attention, because doing it right is a long-term investment. You need to be reliably profitable for that.
Between this breach, the hacking of Jack Dorsey, the “rogue employee” account deactivation of Donald Trump, and I’m sure more that I’m not aware of, would any reasonable IT/security person claim that Twitter takes security seriously?
I believe I’m quite right in saying that Twitter as a platform has been one of the most damaging things to happen to our democracy in recent history. Its toxic effects on discourse and polarization are well documented.
With that, and the revelation that they couldn’t take security less seriously if they tried, I would implore all reading to delete their Twitter accounts.
I personally have 3 Yubikeys, one on my keyring, one in my small first aid kit (which is kept in my backpack and usually close to me) and one that doesn't ever travel with me. We give our staff yubikeys and require them to use them for services where we have customer data (including logins to our own service).
And we support them for our customers to use, but mandating that all our customers have physical 2FA devices to protect their own accounts is still a bridge very much too far today.
Mandating that everyone that has access to your admin console has a U2F key, on the other hand, seems like a perfectly reasonable expectation for a company of Twitter's stature.
Security always goes against users' convenience, just like privacy... and in real life, as a rule of thumb, people tend to almost always choose convenience first, before anything else...
What you need is a secure client, such as a dedicated tablet that is only used to access that service, along with a tamper-proof self-destruction system and a camera and set of sensors that can identify that only the intended person is present.
Even then the user can still be blackmailed to act in the attacker's interest, so you also need to offer the user a secure place to live in and make sure they are fully happy.
Translation - it’s not fixed. Security through obscurity.
Also timeline says ‘Wednesday’ post-mortem should be accurate to the minute or second.
The internal post mortem will no doubt be accurate down to the second.
That's because it took them almost two hours to stop the attack - doesn't look good.
Like take down the forged messages, fix the hole that let them post them, issue an apology, and compensate the people who had their data stolen. No need to blow this up into something huge.
Fitting video: https://www.youtube.com/watch?v=bLXW2JQ0TZk
Training to prevent these social engineering leaks is definitely critical.
Countless creative ways will be tried and discovered.
This is such a weasel-y answer. “Yes, most of Earth’s population was not affected by this breach” - sure, but those that were affected, how would you be certain that they didn’t have their private information, such as DMs, pulled?
> did the attackers see any of my private information? For the vast majority of people [who we previously mentioned were affected by this hack], we believe the answer is, no.
Therefore, I'm not sure that's a straightforward explanation.
I wonder especially how they could have bypassed their 2FA.
Unless they specifically tell you something, you can't assume it to be the case.
Disagree. The statement could be parsed more applicably as saying:
> The most important question for people who use Twitter is likely — did the attackers see any of my private information? For the vast majority of people [who use Twitter], we believe the answer is, no.
Also, the initial question is about "me". I also never considered that my own data would have been accessible in this attack; I thought they would be discussing the targeted accounts.
Or was this just people copying and pasting the same message (if so why that rather than retweet)? There were so many every few seconds I assumed it was a script just running through accounts. But --- if it wasn't, what were people hoping to gain? Views on their own profile?
They so carefully avoid mentioning how they do store passwords that I have to wonder what their security practices are on that front (and the rest). What tools are they available under? You'd think they would've said "passwords are hashed and salted" to rule it out entirely if that was a thing.
Means something to you and me, but means nothing to the average Twitter user who is the audience for this blog post.
If you use unique strong random passwords like those typically chosen by a password store (e.g. 24 alphanumerics) it doesn't matter what password hash is used, it doesn't even matter whether salt was used, because there's no chance anybody else has the same one.
For example here is simple MD5() of a password I use every day, you have no idea what it is, and even very powerful MD5 "reversing" tools won't help you change that.
Good password hashes somewhat protect people who chose bad passwords. They're a mitigation. Your users will choose bad passwords so you need to use a password hash in software you build, but if you never use bad passwords you needn't care whether this or that site used a good hash since it has no impact on your security.
Ask the average joe what it means for something to be in "plain text" and you'd probably get the answer "Oh that's simple, they didn't write it out in cursive!"
I think it most likely means the passwords are hashed, and the hashes aren't available in this tool. There are undoubtedly other tools that allow people to view the hash (the MySQL command line client is a "tool", after all ;) Although I agree the statement is ambiguous enough that it could mean things that aren't best practice.
The only other reference to password storage efforts:
> attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
P.S. I feel bad for the employees who were manipulated to give away the info.
Was the employee able to disable 2FA for their own account?
Was the employee social engineered into adding someone else's 2FA key to their account?
Did the employee read a 2FA code to the attacker, and that somehow enabled all the evil things the attacker did, without any additional checks or 2FA codes?
Did the attacker hack the employee's system and MITM their 2FA code without their knowledge? It doesn't sound like it, because that wouldn't be social engineering.
Get employee's password
"Hey [employee], I'm [coworker] from the security team and we noticed your DUO was locked. I just enabled it, but we want to make sure it works. Hit Approve when you get a notification."
Log in with password
Wait for employee to hit Approve.
The best defense against phishing seems to be to hire competent people, to train them on that, and to establish "No You-Know-Who-You're-Talking-To" policies, so that whoever fails to do something because they didn't follow security procedures (example: a "CEO" asking for an "urgent" favour) is not blamed.
For phishing involving malicious websites the answer is not training, it's U2F. For other phishing, yes, training is useful.
Vice Motherboard interviewed the hacker, who claims the Twitter employee was paid to hack the accounts for them:
I don't subscribe to "nothing to fear, if you have nothing to hide". I have had conversations that are not illegal, lewd or even non-politically-correct jokes, but that I would still hate to have made public by a third entity: from secrets that were shared by friends, to sensitive data like addresses, or information from clients under NDAs.
Good start, but you need to go much further. You should consider anything on an Internet-connected device could be public at any moment. As we are reminded weekly, there is no such thing as computer security in 2020.
I would be very wary of using their product's DMs now. Considering most journalists use Twitter, I can only hope that no one had used DMs to contact a journalist about something which can put the source in jeopardy.
I don't know how people use DMs on Twitter, but if they are anywhere close to the general usage of Signal/WhatsApp/iMessage/Messenger etc., it is incredibly bad for them and something which can kill the platform unless they rethink that completely, considering they don't even have E2E.
They don't write about the fact that they let the scam go on for hours, destroying lives of people. Locking down the accounts actually helped the scammers, as the owners of the accounts or other Twitter employees weren't able to delete the scam messages.
It's normal for scammers to pay themselves to make their scam look more legitimate.
If no one steps forward... it's not impossible that they actually didn't manage to scam anyone.
Leaving those messages up for so much time (at least an hour) was unacceptable anyways. When I was holding a pager for a product that impacted millions of people, my job was to mitigate all problems that could affect them as soon as I could.
It's true-- but ... no one?
> Leaving those messages up for so much time (at least an hour) was unacceptable anyways.
It's in stark contrast to how FB wrote the post this week about their SDK crashing a bunch of third party apps. Some PR firm did all sorts of verbal gymnastics to avoid actually apologizing and taking real responsibility by shifting blame. 
> In cases where an account was taken over by the attacker, they may have been able to view additional information
Is kinda downplayed by wording
(Twitter's implementation of Direct Messaging aligns more closely with instant messaging than email, therefore I believe a real deletion feature isn't an unreasonable expectation or ask.)
I feel stupid for just realizing that social media accounts save previous passwords. How far back does it go?
If you know the value of N (from UI errors trying to reuse one) and want them to get rid of an old hash for some reason then you could reset your password N times.
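The N-entry password history the two comments above are reasoning about, as an added illustration that is not Twitter's code: the server keeps the last N salted hashes, rejects a new password that matches any of them, and evicts the oldest entry once N newer ones exist, which is exactly why setting N fresh passwords flushes an old hash. N, the scrypt parameters and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_SIZE = 3  # the "N" of the comment; constructed value for this example

def _hash(password: str, salt: bytes) -> bytes:
    """Salted scrypt; parameters kept modest so the example runs quickly."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)

class PasswordHistory:
    """Keeps the last HISTORY_SIZE salted hashes for one account. Each entry
    has its own salt, so checking a candidate means re-hashing it per entry;
    every retained hash is also one more artifact an attacker with database
    access could try to crack, which is why N should stay small."""
    def __init__(self, size: int = HISTORY_SIZE):
        self._entries = deque(maxlen=size)  # oldest first; full deque evicts

    def remembers(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries)

    def set_password(self, password: str) -> bool:
        """Accepts the new password unless it matches a remembered one."""
        if self.remembers(password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))  # may evict oldest
        return True

    def retained_hashes(self) -> int:
        return len(self._entries)

def rotate_out(history: PasswordHistory, old: str, fresh: list) -> bool:
    """Sets each fresh password in turn and reports whether `old` has been
    pushed out of the window afterwards (the reset-N-times idea above)."""
    for pw in fresh:
        if not history.set_password(pw):
            raise ValueError(f"{pw!r} collides with a remembered password")
    return not history.remembers(old)

if __name__ == "__main__":
    h = PasswordHistory()
    h.set_password("old-secret")
    print("reuse blocked:", not h.set_password("old-secret"))
    print("gone after 2 resets:", rotate_out(h, "old-secret", ["second", "third"]))
    print("gone after 3 resets:", rotate_out(h, "old-secret", ["fourth"]))
```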
Joseph Cox at Vice Motherboard is claiming exactly that from his interview with the hackers:
"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.
How did they initiate a password reset and successfully reset the password to log in to the account? They must've had the owners' email passwords too?
EDIT: So they changed the mail associated to the accounts to their own... but the system didn't email out to the "old" email to notify them of the action being taken, like most companies do?
2FA is meant to protect against someone impersonating you. It is not designed to protect against a malicious insider at the org you are trying to prove your identity to.
The reality is the public loses credentials and keys all the time and at most companies security takes a back seat to convenience and customer service.
I’m glad this was only 8 accounts — but it’s a good reminder that DMs aren’t encrypted or secure and shouldn’t be used that way.
Can anyone explain to me why the phone number is stored in plain text for them to see?
This is horrible. Twitter forced me at some point to provide my phone number. I never wanted it.
> We became aware of the attackers’ action on Wednesday
No mention of how they detected the incident or what alerted them to the attackers' action?
Obviously this is very implementation specific though, and can't be considered a rule.
Keep in mind, some 4k employees work in this jungle. Don't know what they do apart from just tweeting #lovewhereyouwork
The Dutch politicians fit that description